Richard Bejtlich's blog on digital security, strategic thought, and military history.

Wednesday, July 07, 2010

A Little More on Cyberwar, from Joint Pub 1

Everyone's been talking about cyberwar this week, thanks in part to the Economist coverage. Many of the comments on my posts and elsewhere discuss the need for definitions.

I thought it might be useful to refer to an authoritative source on war for the United States: DoD Joint Publication 1: Doctrine for the Armed Forces of the United States (.pdf), known as JP 1.

Incidentally, back in 1997 as an Air Force 1Lt straight from intelligence school, I worked on doctrine publications like this for Air Intelligence Agency, specifically the early doctrine on information warfare, like the August 1998 publication of Air Force Doctrine Document 2-5: Information Operations (.pdf).

What does JP 1 say about war?

War is socially sanctioned violence to achieve a political purpose. In its essence, war is a violent clash of wills. War is a complex, human undertaking that does not respond to deterministic rules. Clausewitz described it as “the continuation of politics by other means” [Book one, Chapter 1, Section 24 heading]. It is characterized by the shifting interplay of a trinity of forces (rational, nonrational, and irrational) connected by principal actors that comprise a social trinity of the people, military forces, and the government...

The use of the term "violence" would seem to preclude cyberwar as being "war." Read on however:

Traditional war is characterized as a confrontation between nation-states or coalitions/alliances of nation-states. This confrontation typically involves small-scale to large-scale, force-on-force military operations in which adversaries employ a variety of conventional military capabilities against each other in the air, land, maritime, and space physical domains and the information environment (which includes cyberspace).

The objective is to defeat an adversary’s armed forces, destroy an adversary’s war-making capacity, or seize or retain territory in order to force a change in an adversary’s government or policies. Military operations in traditional war normally focus on an adversary’s armed forces to ultimately influence the adversary’s government...

The near-term results of traditional war are often evident, with the conflict ending in victory for one side and defeat for the other or in stalemate.

We see "traditional war" involving state-on-state, military v military conflict, with the listed objectives. Those elements do not preclude cyberwar.

[Irregular Warfare, or] IW has emerged as a major and pervasive form of warfare although it is not per se, a new or an independent type of warfare. Typically in IW, a less powerful adversary seeks to disrupt or negate the military capabilities and advantages of a more powerful, conventionally armed military force, which often represents the nation’s established regime. The weaker opponent will seek to avoid large-scale combat and will focus on small, stealthy, hit-and-run engagements and possibly suicide attacks.

That is very interesting and consistent with ongoing operations.

The weaker opponent also could avoid engaging the superior military forces entirely and instead attack nonmilitary targets in order to influence or control the local populace. An adversary using irregular warfare methods typically will endeavor to wage protracted conflicts in an attempt to break the will of their opponent and its population. IW typically manifests itself as one or a combination of several possible forms including insurgency, terrorism, information operations (disinformation, propaganda, etc.), organized criminal activity (such as drug trafficking), strikes, and raids. The specific form will vary according to the adversary’s capabilities and objectives.

Here we read about engaging nonmilitary targets, very relevant to today's nation-vs-private enterprise activity. However, the following text clarifies the main idea behind Irregular Warfare:

IW focuses on the control of populations, not on the control of an adversary’s forces or territory. The belligerents, whether states or other armed groups, seek to undermine their adversaries’ legitimacy and credibility and to isolate their adversaries from the relevant population, physically as well as psychologically... What makes IW “irregular” is the focus of its operations – a relevant population – and its strategic purpose – to gain or maintain control or influence over, and the support of that relevant population through political, psychological, and economic methods.

This text shows that Irregular Warfare is thought of in JP 1 as being more like insurgency operations as witnessed in southwest Asia.

One more thought before I publish this post: I don't consider any of the following to meet the definition of war:

War on Poverty: President Lyndon Johnson declared "war" against a tragic human condition, but it's not really a war if the target is a physical condition.

War on Drugs: President Richard Nixon declared "war" against narcotics, but it's not really a war either if the target is a substance.

War on Terror: President George Bush declared "war" on terror after 9/11. While there is no doubt war happened, the target should be defined groups, like Al Qaeda, as stated by President Barack Obama -- not effects, like "terror."

Please note I keep these ideas in mind when forming thoughts on cyberwar.

Also, do I need to include a disclaimer saying "The following represents the product of writing for a limited amount of time, for zero financial gain, and is not intended to represent a PhD-level, exhaustive discourse on the subject at hand?" I assumed that since this is a blog and not the Journal of Something Really Important that such a disclaimer would be implicit.

Actually this is a good follow-up to what's being discussed in the comments of a few stories here. I was going to note that a part of war, irregular or otherwise, is disinformation. Whether it be sanctioned by the folks engaged (those testy nation states) or inferred by the press and other news disseminating properties.

The last few comments in threads have been the semantics of what defines the word "war". I think Rich did a short, but good job of giving examples where this word has lost some of its meaning as it's been applied to the "issue du jour". I truly, as noted by Rich, get pissed off when I hear "cyber-this" placed in front of everything. 20 years ago, it had that cool sci-fi thing going for it, now it sounds antiquated and anachronistic.

The key points which are brought into this discussion are the different types of warfare... I won't belabor the discussion, as most of it has occurred in other comment areas... writing off espionage as not a part or even a pretext to conventional, non-conventional or irregular war is just plain ignorant.

I didn't have the fun of serving in the military, so a lot of this was learned by experience... but I think when you have a military force, such as the USAF define these terms as cited, it should start to make things a bit more clear as to 1) where the author (Rich) is coming from and 2) where most likely the folks on The Hill (and their advisers, staff and consultants and lobbyists) work the definition to their own needs.

To offer other views on the subject, there are some good and varied discussions on this same topic (with a whole other audience) at LinkedIn and other boards and blogs. So I think until we have Schmidt and Alexander and their crew sit down, hash out a glossary of common terms ind lingua, we'll still be here debating the same ole, same ole. Plus drag in William Gibson to slap each of them upside the head and tell them to stop using "cyber" in front of everything...

I was in AIA back when they invented "CyberWar". Some Lt Col went to air war college, wrote a paper and then suddenly we had a "cyber-gap" to replace the commie threat and its associated *-gaps - which would then handily be filled with more money and "our best and brightest" aka a bunch of lt's and pipeline airmen who would sit in a dimly lit "battle lab" and issue shrill reports every time someone in China pinged a router.

Don't get me wrong, AIA had some bright people - I'm thinking Ed Jolly and the like. But "CyberWar" is a joke - it's the perfect Eisenhower "Military Industrial Complex" maneuver. You get plenty of funding, have to show basically nothing for it, throw a lot of money at the contractors and give some personnel a place to hang out for several years.

There might be cyber-espionage. There might be cyber-weapons. There might even be cyber-attacks in the scope of an actual war.

But cyber-anything is at its worst, from a military perspective, just another force multiplier. And it's useful to keep it in mind as such, but the shrill scare tactics being thrown around lately (Cyber war is real!!! Cyber War is happening now!!! (What's the proof? "I can't tell you it's classified, but trust me.")) seem more like efforts to drum up consulting business and increase federal budgets than any legitimate discussion of useful topics.

Stewart Baker (Lewis - CSIS, 2002 - http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf) coined the term "Weapons of Mass Annoyance", nothing in my 20 years in this business has led me to believe that this phrase has become any less apt than it was then.

Would a sustained "cyber-attack" be a PITA? Yep. Would it bring us to our knees? Nope. Should it be used to rationalize NSA taking an active role in "protecting" civilian assets? Nope.

Some of your comments are valid, however this statement is way off. When someone can deny you access to energy, banking, and communications things get pretty dicey very quickly. Yes, you by yourself would probably do just fine without these things. However when masses of people are affected they don't act rationally. Lives would be lost IMO. It would be Katrina x100.

@all the nay sayers - My personal beliefs aside, I think it's better to keep an open mind versus definitely stating that there is no "cyberwar" when you don't have access to all the facts. So what if you don't have all the information necessary to make an informed opinion, in life you rarely do. But in terms of logic, it's much easier to say something might exist versus proving 100% that it doesn't exist. And all the games of semantics with the term war are weak. I would much rather hear a statement why you believe something, instead of nitpicking the use of the word.

Thanks for this, Richard, it's very interesting. I find the broad definition of IW to be a bit disconcerting. Much of what is included should, rightly, be covered first and foremost under law enforcement purview unless the nefarious actions can be directly attributed to more than just a bad actor.

I really do think that this whole area should give us all pause as the arguments (rhetoric) being used advocate a much stronger military role in everyday life, and this is not a good thing. Militaries do not operate under the same legal framework as the rest of society. We need to be exceedingly cautious in how much responsibility we grant them. I really do think that, IW or not, it must come back to a traditional war context in that we need to be very, very careful about what is or is not considered War. I again come back to China and Google and point out that motive/intent is vital in drawing any sort of conclusion (well, and the same could be said about other events, right?).

The last bit that I think is missing here is the key to this whole thing, which is finding the trigger for authorizing offensive operations. Ultimately, this cyberwar notion is (or should be) as much about getting approval to respond to an attack with a counterattack. Sure, defense and budget are important, too, but we wouldn't really care all that much here if we weren't also interested in being able to initiate an offensive response, yeah?

@Anonymous - your characterization of the "naysayer" perspective is incorrect... when you get to the heart of the disagreement, it's not whether or not things are happening (and it's really rather arrogant to assume that non-military infosec folks aren't aware of much of what's going on)... ultimately, it comes down to whether or not the military should be principally charged with response, and what really counts as an "act of war." Semantics can be very important, especially when bandying about terms like "war" that Constitutionally require a Congressional declaration. I worry that we seem to be conveniently forgetting such an obligation. Sadly, we live in an era where FUD and warmongering are convenient tools for building budgets and acquiring turf, even if it comes at the expense of civilian authority and civil liberties.

@Ben - I respect your stance on military involvement. It needs some serious oversight. I NEVER made any assumption that non-military people don't know what's going on. I merely responded to posts in earlier blogs about people wanting evidence about cyberwar because they don't have any. I'm not trying to argue military involvement. I think the military should have some role, but it still needs to be defined in depth with heavy oversight. My point is only this. People stating with certainty that something doesn't exist isn't a valid approach when you can never prove that definitively. I think just alone on the public knowledge that G. W. Bush authorized offensive cyber operations in the gulf war, these people don't have a leg to stand on. Their only recourse is to play semantics and try to redefine what "cyberwar" is. Good luck with the semantics "war/conflict/attack" :-) Ben, your argument on privacy and civil liberties is separate to me. And I do not disagree with your earlier post.

@Anonymous - Any time we talk about expanding military control/responsibility to potentially supersede civilian control/responsibility, we must then also bear in mind the ideals upon which this country was (supposedly) founded, including things like civil liberties. If you've ever read Orwell's 1984, then you can see where this slippery slope leads. Combine broad cyberwar doctrine with cloud computing and the move of "all" data off of personal computers with the different set of rules by which the military operates - it's not a stretch to see the potential for major abuses (especially given the expanding role of corruption we've seen these past few decades). It takes us back to the heart of the debate between the likes of Jefferson and Adams over a strong central government vs. states' rights. fwiw.

I think one of the BIG issues being discussed here is much like the same debate of strict construction of the Constitution. It was a broad document, but was very well defined in certain areas, but even then it's required re-interpretation over time. Think about what's changed in the world, society, technology and so forth in the 200+ years since it was written... do you think the landed gentry, statesmen, and farmers could foresee what we're doing with now?

Are you shaking your head sideways... No... exactly...

Continuing with static definitions of anything does EVERYBODY a great disservice. Life is ever changing and malleable, as in language (just think of the word "bad" over the past 30-40 years - it's almost an antonym of its original meaning at times).

So "war", "cyber" or otherwise has to adapt to the tactics employed... maybe we've progressed beyond conventional warfare... think of those advances from adding airpower, nuclear weapons, and electronics on how we fight... this is just a new evolution...

The problem HERE is that we're getting too much of our personal politics, libertarian, conservative, liberal and so forth into what we want to believe (as in "what's happening") and feel who has the power to control. As I stated in an earlier response... on another thread, it's about that "observational" perspective... a "I'll believe it once I see it" scientific mentality that's served hopefully all of us well. That's at least something we do have going for us in our chosen careers.

@webjedi - I think you're oversimplifying the situation, as well as wrong to dismiss these concerns outright as just politics. There's a good reason why there was an original split in power between Congress and the President on War - not the least of which being to prevent the usurpation of power by the Executive branch, a la monarchy, despotism, or totalitarianism. Now add expansion of military powers (that fall under the Executive branch) that supersede civilian authority (like Congress) and things start to look kind of sketchy. It's not too hard to imagine getting to Orwell's world of 1984 given the direction of technology, especially when combined with the expansion of the Executive branch. A broadly defined cyberwar doctrine is just one more expediter down that slippery slope.

@Ben - I mean by letting our personal politics enter into the discussion, we're skewing the actual points of the discussion. We're bending it to how we would "like" the government, in their interaction with this particular segment of day to day life, to be.

It sounds like you have this great fear of things becoming a militaristic surveillance state. Well, I can tell you there's not enough willing bodies and people to make it or let alone, will allow it to happen.

Folks like yourself are always quick to drag out George Orwell, Ayn Rand and the like ... they were prescient writers, but they were writers with an agenda. Much how each of us, although we try to deny it, are on here. I'm sure I'll see a quote from Nostradamus on here noting he predicted the looking "cyber conflict" through some goofy passage of his.

In general we need to look for context. Have we ceded some control uncomfortably to various parts of our government... hell yeah... but are you going to do something about it... call your congressmen or senators... start up a lobby... if you feel things are going pear shaped, get mobilized...

What Bush did for Iraq was bad as it led a bad precedence. Congress let it happen, as did the judiciary... so, when all three let it go unchecked, do you have faith something like what we're discussing is going to be treated any differently? How about working the system from the inside? Join government, get involved on working group and committees that are charged with trying to get a handle on these things... I'm trying to fight my good fight here while still doing my day job... it's like trying to steer a whole armada of ships with no power steering...

Fair enough. Don't assume that some of us aren't working in whatever ways we can to try and contribute on this issue in a meaningful way. I'm open to suggestions on how to have a bigger impact. Joining the government workforce does not seem to me to be a particularly useful approach, short of being a secretary or under-secretary. Anyway...

@Ben - sorry to hear that doing a stint at a USG agency/organization is a useful approach. There are ways to affect things, it just takes time - remember this IS government we're talking about.

As for "Perfect Citizen", the CIP-work they talk about here was supposed to be DHS's but since they've been hamstrung with leadership and staffing/skills issues, the DoD/NSA have decided to step in. I worked on a similar program while at CERT/CC for the DOD, and to be honest, it's really needed now, not later. I guess your big heartburn has got to be who's performing the duty.

I also worked at the largest supplier of commercial energy service in the US (at the time) - and we could have used all the help we could get... when I started there in 2003, our InfoSec capability among the company was two techies, a policy guy and a manager... we grew in three years to actually having some real capabilities (even with some stumbles and politics along the way - including a merger scare) - but if these pacts are formed with groups (the Military) who have the information (the stuff always discussed as the "close hold, we can't tell you about it" items) - and an exchange framework to actively corroborate and correlate activity they are seeing - you'll have much more robust intelligence for both groups. If I had even 25% of what I picked up at CERT and DOD to work from while at the energy company, there would have been even more work for us - outside the standard policy violation, minor hacking and other activities we already responded to. It would have been fun, and I'd maybe still be back there - I envy those folks now.

I find the fun in the discovery and chase... IR/IH activities excite me, as does the architecture and engineering of security... which is why I have the job I have... while not an assistant or under-secretary for somebody, I'm trying to do my best to turn around an agency that was always seen as one that besmirched the Federal InfoSec Report Card. I have support of the CISO, as a lot of the activities he and the former CIO helped get moving are what keeps me busy today... but I haven't lost focus of WHY I'm here and what the larger goal is... I may be doing it out of duty and some sense of altruism, but it's also more visceral on the "it's a paycheck" and it keeps my interest as well... maybe in 15 years or less I could get to those vaulted levels to change things with the signing of a pen, but I'm not holding my breath... so I do what I can and I laud you for the efforts you may be doing as well...

As usual Richard you don't make a clear point. Is your assertion that because some '97 air force doc defines war as violence, etc, etc (the other garbage you mentioned) that we can't use cyber-war as a description? ... Let's take the little more neutral look at the word "war" from Merriam-Webster (though not as smart as you I think they may know a little more about word usage and meaning):

Main Entry: war 1 a (1) : a state of usually open and declared armed hostile conflict between states or nations (2) : a period of such armed conflict 2 a : a state of hostility, conflict, or antagonism b : a struggle or competition between opposing forces or for a particular end (a class war) (a war against disease)

Glad you liked my "nice post about nothing." You have such creative contributions, like quoting the dictionary and linking to other people's posts! Too bad my points aren't "clear" enough "as usual" for someone like you, who has to hide behind an anonymous label and is too afraid to contribute something meaningful on his own nonexistent blog.

The hostilities here might make one reconsider a disbelief of cyber war.

I think the reasonable resolution would be for cyber war advocates to push out verifiable evidence. In my personal opinion Aurora fell short for numerous reasons, but the discussion was fairly open with a decent amount of evidence. If we're at cyber war there should be missiles - err digital weapons flying around. To be fair, the unbelievers might develop criteria in advance of the evidence but as a blog comment isn't an academic paper I'll refrain from diving into that.

I'm not trying to pick a fight, but I'm curious what you think of this Richard. Both sides are clearly passionate, many of us have claimed to be security researchers, if we approach this as more of an academic research problem it might enable both sides to find common understanding based only on evidence and analysis.

@anonymous: "When someone can deny you access to energy, banking, and communications things get pretty dicey very quickly."

The thing is that these are not consolidated directly-interconnected systems. They are widely distributed, distinct, heterogeneous systems.

Sure, a few people might die if you shut off the power to Phoenix in the heat of summer. But what military value is there in killing off a few old people, sick people or little kids? Does this further the objectives of any potential enemy? Or are you so cynical to think that Americans will riot in the streets if the power goes out? (which I guess would probably happen in the places where it normally does and won't where it doesn't)

IMO, if you want to make the case for "cyber-war", there needs to be a rational connection from the act to the furtherance of a military objective.

Weapons of Mass Annoyance will not bring us down.

@anonymous - "@all the nay sayers - I think it's better to keep an open mind versus definitely stating that there is no "cyberwar" when you don't have access to all the facts. So what if you don't have all the information necessary to make an informed opinion, in life you rarely do. But in terms of logic, it's much easier to say something might exist versus proving 100% that it doesn't exist. And all the games of semantics with the term war are weak. I would much rather hear a statement why you believe something, instead of nitpicking the use of the word."

Because the associated costs are real. In terms of money, freedom, government intrusion, the blurring of the lines between military roles and civilian roles, etc.

Also, because the burden of proof is on the people pushing this agenda. I can't just assert that Santa Claus or Cyber-war are real - I have an obligation to prove it before I should expect any support.

I'm pleased to see the attention on China in these recent threads. Good to see some cages rattled. Now these posts, and recent events (see Time Magazine articles on U.S. subs in Pacific, India vs. China, Taiwan) remind me of a fascinating book, Robert K. Massie's Dreadnought, which was about the build up to WWI. Now there was a certain Admiral Fisher that was very clear sighted and recognized that the English needed to modernize their fleet (advanced, long range guns) and he had many battles on this but ultimately he was right.

England had a simple goal: maintain a 3:1 advantage of Dreadnoughts over the Germans, knowing the Germans had the superior land army.

What I think is important to consider here is that, as we should know from exploits, and the obvious example of the Germans skirting the French WW II defenses through a slight detour called Belgium, the enemy will find the weakest chain in the link. Now the internet was designed to be resilient, but there are weak spots, consider the devastating impact of taking out key servers. Perhaps this doesn't get all the glory of mano a mano combat, but it has the importance of bombing the ball bearing factories in Germany, or Hitler's ego-driven mistake in trying to secure Stalingrad instead of key resources. Or the Greeks' foolish attempt to conquer Sicily, despite much heated debate.

Not to ramble on too much, but Massie's book on Peter the Great, mostly about Sweden's Charles the 12th's ill-fated foray into the swamps of Russia, is also worth a read, another example of a superior, highly skilled, technologically advanced army hobbled by poor decision making. Fortunately, due to hierarchical structures perhaps, the clever leaders (Peter the Great) listen to the clear, rational thinking. Anyway, keep up the good work, if it's anything we need today, it's more of the rational and less of the nonrational and irrational. (Great quote from Clausewitz).